Authentication
This API uses an API key passed via the X-API-Key request header.
API key authentication (`X-API-Key`)
How it works
Include your API key in every request using the X-API-Key header.
| Item | Value |
|---|---|
| Security scheme | apiKey |
| Header name | X-API-Key |
| Location | HTTP header |
Example requests
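curl

```bash
curl -X GET "<BASE_URL>/pets" \
  -H "X-API-Key: YOUR_API_KEY"
```

JavaScript (fetch)

```javascript
// Read the base URL and API key from the environment, never from source code.
// Top-level await requires running this as an ES module.
const baseUrl = process.env.PETSTORE_BASE_URL;
const apiKey = process.env.PETSTORE_API_KEY;

const res = await fetch(`${baseUrl}/pets`, {
  method: "GET",
  headers: {
    "X-API-Key": apiKey,
  },
});

// Non-2xx responses (including 401/403) are surfaced as errors.
if (!res.ok) {
  throw new Error(`Request failed: ${res.status} ${res.statusText}`);
}

const data = await res.json();
console.log(data);
```

Security notes & best practices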
- Treat API keys like passwords: do not embed keys in client-side code or commit them to source control.
- Use environment variables or a secrets manager to store and inject the API key at runtime.
- Rotate keys regularly and immediately rotate/revoke any key that may be exposed.
- Use TLS (HTTPS) only: API keys must not be sent over unencrypted connections.
- Least privilege: if multiple keys/scopes exist in your environment, use the smallest access needed per app or service.
Troubleshooting
- If you receive `401 Unauthorized` or `403 Forbidden`, verify:
  - The `X-API-Key` header is present and spelled exactly as shown.
  - The key value is correct and not expired/revoked.
  - You are calling the correct environment/base URL.
For common error formats and guidance, see Errors.
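The following is an added example, not part of the original documentation: a small client-side guard that enforces the practices and troubleshooting checks above before and after a request. The function names (`buildAuthedRequest`, `redact`, `diagnoseAuthFailure`, `authedGet`) and the sample host are assumptions made for illustration.

```javascript
// Added example; helper names are hypothetical, not part of the Petstore API.
const API_KEY_HEADER = "X-API-Key";

// Build fetch() arguments, refusing to attach the key to an unsafe destination.
function buildAuthedRequest(baseUrl, apiKey, path) {
  if (typeof apiKey !== "string" || apiKey.trim() === "") {
    throw new Error("API key is missing; inject it from the environment or a secrets manager");
  }
  // Stray whitespace or line breaks from a copied secret make the key invalid.
  if (apiKey !== apiKey.trim() || /[\r\n]/.test(apiKey)) {
    throw new Error("API key contains surrounding whitespace or line breaks");
  }
  const base = new URL(baseUrl);
  if (base.protocol !== "https:") {
    throw new Error(`Refusing to send ${API_KEY_HEADER} over ${base.protocol}`);
  }
  const root = base.href.endsWith("/") ? base.href : base.href + "/";
  const url = new URL(path.replace(/^\/+/, ""), root);
  // An absolute URL passed as `path` would carry the key to another host.
  if (url.origin !== base.origin) {
    throw new Error("Request path must stay on the base URL's origin");
  }
  return { url: url.toString(), options: { method: "GET", headers: { [API_KEY_HEADER]: apiKey } } };
}

// Mask the key wherever it appears in text that may be logged.
function redact(text, apiKey) {
  return apiKey ? String(text).split(apiKey).join("[REDACTED]") : String(text);
}

// Checklist from the Troubleshooting section, returned only for 401/403.
function diagnoseAuthFailure(status) {
  if (status !== 401 && status !== 403) return [];
  return [
    `${API_KEY_HEADER} header is present and spelled exactly as shown`,
    "key value is correct and not expired/revoked",
    "request targets the correct environment/base URL",
  ];
}

// Perform the request; errors carry the checklist and never the raw key.
async function authedGet(baseUrl, apiKey, path, fetchImpl = fetch) {
  const { url, options } = buildAuthedRequest(baseUrl, apiKey, path);
  const res = await fetchImpl(url, options);
  if (res.ok) return res.json();
  const hints = diagnoseAuthFailure(res.status).join("; ");
  const msg = `Request failed: ${res.status} ${res.statusText}. ${hints}`;
  throw new Error(redact(msg, apiKey));
}
```
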
Related documentation
- Overview (base URLs, quickstart)
- Pets endpoints
- Store endpoints
- Miscellaneous endpoints
- Schemas
- Errors